And like I said earlier, the amount of negotiation when there are multiple prefixes to protect is limited to one. With "modern ipsec tunneling" (got to love that), there is still a lot of negotiation going on.
We are talking about potentially hundreds of subnets behind a branch here.

On 16 Nov 2011, at 10:51, Yoav Nir wrote:

> On Nov 16, 2011, at 9:32 AM, Tero Kivinen wrote:
>
>>> What you call other fancy features is what I call functional separation. IPsec does encryption well, but in reality it does a fairly poor job of tunneling. So let's have IPsec do what it does well and have GRE do what it does well, and that is tunneling.
>>
>> So you still didn't explain what GRE does better than modern IPsec tunneling?
>
> I think GRE (or any tunnel that is not IPsec - like L2TP) allows them to avoid having to deal with RFC 4301 stuff like SPD. The only selector they need is for the GRE tunnel (protocol 43?) or the L2TP tunnel (UDP 1701).
>
> That means that your security policy is effectively determined by the routing protocol.
>
> Yoav
>
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec